How to delete an ACL in ZooKeeper

How can I delete an ACL in ZooKeeper?

I have seen a blog which outlines steps in Hortonworks. I am not using Horton.

zookeeper.set.acl - false. 

[desind@zookeeper1~]$ zookeeper-shell localhost:2181 rmr /kafka-acl/Topic
Connecting to localhost:2181
WatchedEvent state:SyncConnected type:None path:null
Authentication is not valid : /kafka-acl/Topic


[desind@zookeeper-1~]$ zookeeper-shell localhost:2181 getAcl /kafka-acl/Topic
Connecting to localhost:2181


WatchedEvent state:SyncConnected type:None path:null
: r
: cdrwa


I need to delete the sasl,desind:cdrwa


You are not running HDP so are you on MapR or Cloudera?

I tweaked it a little bit; it should work in Cloudera.

Go to the Cloudera ZooKeeper server home


# cd $CDH_HOME/zookeeper-server


Run below command


java -cp "./zookeeper.jar:lib/slf4j-api-1.6.1.jar" org.apache.zookeeper.server.auth.DigestAuthenticationProvider super:password


The output should look like below


SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.


Copy the super:DyNYQEQvajljsxlhf5uS4PJ9R28= text, log in to Cloudera Manager and go to the ZooKeeper config.
Add the below to the zookeeper-env template config


export SERVER_JVMFLAGS="$SERVER_JVMFLAGS -Dzookeeper.DigestAuthenticationProvider.superDigest=super:DyNYQEQvajljsxlhf5uS4PJ9R28="


Save and restart ZooKeeper, then launch the ZooKeeper shell on the CDH CLI


# . /bin/ -server


addauth as below

Now removing the ACL should work.
Now try to delete an ACL in ZooKeeper; this should work.


addauth digest super:password


Unfortunately, I don't have a CDH sandbox, so you might have to adjust some commands.



Can you explain at a high level, if possible, what these steps are doing and why we are doing them?

Technically there is an ACL under my name, and when I get a token as myself I should be able to delete the ACLs.

By default, ZooKeeper runs without the option of becoming a superuser to administrate znodes in the ZK ensemble, for example, to fix ACLs, remove znodes that are not required anymore, or create new ones in specific locations. ZooKeeper grants permissions through ACLs through different schemas or authentication methods, such as 'world', 'digest', or 'sasl' if we use Kerberos. We can potentially be locked out if we were to grant everyone just read permissions to a znode, as we would not be able to delete it or modify it anymore.



@Shelton I am still getting the same error. How can I verify that the SERVER_JVMFLAGS have taken effect? I don't see it in the running config (ps -ef | grep -i zookeeper). I also don't see it in zoo.cfg.


[zk: 0] addauth digest super:password
[zk: 1] ls /kafka
kafka-acl kafka-acl-changes kafka-acl-extended kafka kafka-acl-extended-changes
[zk: 1] ls /kafka-acl
[Group, Cluster, Topic, TransactionalId, DelegationToken]
[zk: 2] deleteall /kafka-acl/Topic
Authentication is not valid : /kafka-acl/Topic
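
Added example, not part of the thread and not ZooKeeper's own code: a Python sketch that reproduces the `id:base64(SHA-1(id:password))` value printed by `DigestAuthenticationProvider` and checks whether a server JVM's argument list actually carries the `superDigest` property, which is the verification asked about above. The function names and the sample command lines are assumptions made for illustration.

```python
import base64
import hashlib

SUPER_PROP = "-Dzookeeper.DigestAuthenticationProvider.superDigest="


def generate_digest(id_password):
    """Return 'id:base64(sha1(id:password))', the form superDigest expects."""
    ident, sep, _password = id_password.partition(":")
    if not sep or not ident:
        raise ValueError("expected 'id:password'")
    # Assumption: UTF-8 encoding; identical to the JVM default for ASCII input.
    sha1 = hashlib.sha1(id_password.encode("utf-8")).digest()
    return ident + ":" + base64.b64encode(sha1).decode("ascii")


def super_digest_status(argv, id_password):
    """Classify a server JVM argument list as 'missing', 'mismatch' or 'ok'."""
    configured = [a[len(SUPER_PROP):] for a in argv if a.startswith(SUPER_PROP)]
    if not configured:
        # The property never reached the JVM, so addauth as super cannot work.
        return "missing"
    expected = generate_digest(id_password)
    return "ok" if all(c == expected for c in configured) else "mismatch"


def read_argv(pid):
    """Read a live process's argument vector on Linux (NUL-separated file)."""
    with open("/proc/%d/cmdline" % pid, "rb") as fh:
        return [a.decode("utf-8", "replace") for a in fh.read().split(b"\0") if a]


if __name__ == "__main__":
    # Constructed command lines, not captured from a real server.
    plain = ["java", "-Dzookeeper.log.dir=/var/log/zookeeper",
             "org.apache.zookeeper.server.quorum.QuorumPeerMain", "zoo.cfg"]
    flagged = plain[:1] + [SUPER_PROP + generate_digest("super:password")] + plain[1:]
    print(generate_digest("super:password"))
    print(super_digest_status(plain, "super:password"))
    print(super_digest_status(flagged, "super:password"))
    print(super_digest_status(flagged, "super:other"))
```

On a real host, pass `read_argv(<server pid>)` as the first argument; a result of `missing` means the restart did not pick up the zookeeper-env change.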



I can see the error Authentication is not valid but it seems you didn't use the format


instead, your input was as below according to the steps you shared.

addauth digest super:password

And then delete the znode; that should work

[zk: 2] deleteall /kafka-acl/Topic

Please do that and revert